Tuesday, May 14, 2013

Microsoft Update Tuesday: Update for IE8 0-day and More

Today is Update Tuesday and Microsoft is releasing updates for 33 CVEs across 10 bulletins. We'll be discussing some of the highlights here.

One of the most important updates (MS13-038) that is being released is for the recent 0-day in Internet Explorer, which was used in a watering hole attack on a Department of Labor internal website targeting Department of Energy employees. This vulnerability, CVE-2013-1347, affects IE8 and can allow an attacker to perform remote code execution via a use-after-free vulnerability. While it's currently not being exploited in any of the exploit kits that we monitor, Metasploit released an exploit for the vulnerability early last week. Sourcefire has detection for this vulnerability through SIDs 26569-26572.

Microsoft is also releasing a cumulative update for 11 other browser issues, including use-after-free vulnerabilities that could allow for remote code execution(MS13-037). These issues cover all supported IE versions, ranging from IE6 to IE10.

Publisher will also get updates for 11 issues that could allow for remote code execution (MS13-042). One slightly mitigating factor for these vulnerabilities is that they require a user to open the files in Publisher to be able to exploit them, so some user interaction is required as opposed to being exploitable by simply visiting a webpage. Two other products in the Office suite are also getting updates today: Word (MS13-043) is getting a fix for potential remote code execution vulnerability and Visio (MS13-044) is getting a fix for an information disclosure vulnerability. Both issues have similar mitigating factors to the Publisher vulnerability, requiring the user to load a maliciously crafted file.

Another interesting update fixes a DirectX Graphics Kernel Subsystem Double Fetch
Vulnerability (CVE-2013-1332, MS13-046) in a kernel mode driver discovered by Mateusz Jurczyk and Gynvael Coldwind using their tool bochspown, which they presented 3 weeks ago at SysScan '13. The vulnerabilities are basically the result of race conditions that are typical Time of Check to Time of Use (TOCTOU) vulnerabilities. More specifically the vulnerabilities are a result of a double-fetch, where the kernel retrieves a value from user mode, checks it and then retrieves the value from user mode again rather than using a cached copy. An attacker can modify the user-mode value between the time it is retrieved the first time and when it is retrieved again. If any checks occurred on the first fetch, they can no longer be considered valid on the second fetch. A typical example of an exploitable version of this vulnerability would be if a size for a copying function is retrieved from user-mode: it is checked to make sure the size is smaller than the destination memory's size, but during the call to the copy function the value is fetched again, resulting in an unchecked size being used. This can result in a buffer overflow if the attacker can change the value between the check and the use. Their tool found 89 potentially exploitable issues, 33 of which were not deemed exploitable, and 36 of which have already been fixed in various earlier Microsoft bulletins (MS13-016, MS13-017, MS13-031, MS13-036). Another 13 are considered local denial of services only. Today 1 more is being patched, leaving only 6 issues open according to Mateusz and Gynvael's SysScan slides.

Further updates cover an authentication bypass and an XML spoofing vulnerability in .NET (MS13-040). An important mitigating factor for the authentication bypass is that it requires non-standard configuration to be vulnerable. Another issue that is being updated is a vulnerability in Lync (MS13-041) that could allow an attacker to gain remote code execution during a session where the attacker shares content with a user. A mitigating factor for this vulnerability is that the user must accept an invitation from the attacker and must then view the content the attacker has shared.

The company is also releasing a fix for a denial of service vulnerability in HTTP.sys (MS13-039), Microsoft's kernel mode driver that handles the HTTP protocol stack for IIS since IIS6 and an update for an information disclosure vulnerability in Windows Live essentials (MS13-045).

As always, we are releasing rules today that detect many of these vulnerabilities through SIDs 26622-26642.